Nearly every major fitness tracker on the market has security issues that leave their users at risk of tracking by third parties, according to a report from Open Effect.
The Canadian non-profit research organisation found that seven of the eight fitness trackers it looked into emit identifiable signals that mean users could be surreptitiously tracked over long periods of time — and some have further security issues, including not encrypting user data. (We first saw Open Effect’s report over on The Daily Dot.)
It’s good news for Apple customers — the Apple Watch is the only device surveyed that got a clean bill of health in the report.
But the Basis Peak, the Fitbit Charge HR, the Garmin Vivosmart, the Jawbone UP 2, the Mio Fuse, the Withings Pulse O2, and the Xiaomi Mi Band all failed on one or more fronts.
The main problem is that the devices have an unchanging MAC address (Media Access Control address) when not paired with a smartphone. This means monitoring equipment could detect this MAC address and use it to track users over extended periods of time without the user’s knowledge.
For example, Open Effect suggests users could be tracked in shopping centres, and the data could be sold to marketers and used by police (emphasis ours):
Our findings directly relate to the case of shopping centres that scan for Bluetooth devices to monitor customer journeys as they move from store to store. As an example, a mall visitor wearing a Fitbit Charge HR might have turned off their phone’s Bluetooth radio to save power, or forgotten their phone at home or in the car. In either case, the Fitbit device would emit advertising packets detectable by the shopping centre’s scanning. Since the Fitbit does not change its MAC address the shopping centre can monitor the presence of the MAC address relative to its scanners and pinpoint the customer’s location. The shopping centre could record all this location data for future study. Where the shopping centre is part of a conglomerate of similar venues, or where the scanning system is provided to the mall by a third party, location records derived from Bluetooth scans from a variety of different venues might be stored together to provide an overview of all the places the organisation has ‘seen’ a particular MAC address.
Law enforcement agencies might also be interested in databases holding Bluetooth MAC addresses. In the case of the shopping mall, authorities might request access to a subset, or all of, the retained records. This has the effect of the collection of Bluetooth MAC information being used far in excess of the reason the devices were emitting advertising packets: to pair with a phone, in order for the user to track their fitness behaviours. The shopping centre could also decide to sell its customer data to a marketing agency or other data broker without first notifying customers.
In contrast, the Apple Watch changes its MAC address when turning on and off, and at ten-minute intervals.
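As an added illustration (not from the Open Effect report or this article), the difference between a fixed and a rotating address can be checked from a passive scan log of your own wearable: the script below, using a constructed log and assumed address values, reports which addresses remain observable for longer than the ten-minute rotation interval mentioned above and would therefore serve as a long-term tracking key.

```python
from datetime import datetime, timedelta

# Constructed sample of Bluetooth advertising observations, as a passive
# scanner near one doorway might log them: (timestamp, advertised address).
# "aa:bb:cc:dd:ee:01" stands in for a tracker that never changes its address;
# the other three addresses stand in for one device that rotates its address.
SAMPLE_LOG = [
    ("2016-02-02 09:00:00", "aa:bb:cc:dd:ee:01"),
    ("2016-02-02 09:00:00", "5e:11:22:33:44:55"),
    ("2016-02-02 09:05:00", "aa:bb:cc:dd:ee:01"),
    ("2016-02-02 09:05:00", "5e:11:22:33:44:55"),
    ("2016-02-02 09:12:00", "aa:bb:cc:dd:ee:01"),
    ("2016-02-02 09:12:00", "6a:77:88:99:aa:bb"),
    ("2016-02-02 09:30:00", "aa:bb:cc:dd:ee:01"),
    ("2016-02-02 09:30:00", "7f:cc:dd:ee:ff:00"),
    ("2016-02-02 17:45:00", "aa:bb:cc:dd:ee:01"),
]

# The rotation interval the article attributes to the Apple Watch.
ROTATION_INTERVAL = timedelta(minutes=10)


def exposure_windows(log):
    """Map each address to (first_seen, last_seen) over the scan log."""
    first, last = {}, {}
    for ts, addr in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        first.setdefault(addr, t)
        last[addr] = max(last.get(addr, t), t)
    return {addr: (first[addr], last[addr]) for addr in first}


def persistent_addresses(log, limit=ROTATION_INTERVAL):
    """Addresses visible for longer than `limit`.

    An address that outlives the rotation interval is a stable identifier
    a scanning network could correlate across visits; a device that rotates
    only ever contributes short-lived addresses.
    """
    windows = exposure_windows(log)
    return sorted(a for a, (f, l) in windows.items() if l - f > limit)


if __name__ == "__main__":
    for addr, (f, l) in exposure_windows(SAMPLE_LOG).items():
        print(f"{addr}  visible {l - f}")
    print("persistent:", persistent_addresses(SAMPLE_LOG))
```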
Some devices also failed to properly secure user data, and allow for the faking of health records.
“Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering,” the report finds. And “Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of that fitness tracker data use in court cases and insurance programs.”
Business Insider reached out to the companies named in the report for comment.
In a statement, Jawbone spokesperson Patrick Sebastian Henkel downplayed the risks. “We do not believe the vulnerability described [Bluetooth tracking] causes significant risk to our users, and we do not believe our users are at risk of having their location tracked over a long period of time,” Jawbone’s statement says. “No user data is transmitted during device discovery. User data is encrypted for transfer and will only be transmitted once a secure connection is established between the activity tracker and a trusted application. Additionally, device discovery is disabled when this connection is active. Prior to the Open Effect findings, this issue had not been raised to our Customer Care team.”